Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for profiling network traffic, comprising: capturing, from the network traffic using a packet capturing device, a plurality of packets, the packet capturing device configured to collect network data for providing to a network traffic profiling tool, the network traffic profiling tool being separate from the packet capturing device; identifying a first portion of the captured plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, the first flow including an NAT message sent from the NAT device to a predetermined host device coupled to the NAT device, wherein the NAT message is also captured by the packet capturing device; extracting, by a hardware processor included in the network traffic profiling tool separate from the NAT device, a first data item from the captured NAT message, wherein the first data item is inserted into the captured NAT message by the NAT device for identifying a first host device coupled to the NAT device; and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.
2. The method of claim 1, further comprising: identifying a second portion of the plurality of packets as a second flow based at least on the common IP address further assigned to each packet of the second flow by the NAT device; extracting, by the hardware processor, a second data item from the second flow, wherein the second data item is inserted into the second flow by the NAT device for identifying a second host device coupled to the NAT device; and determining, by the hardware processor based on the second data item, that the second flow is generated by the second host device, wherein the first data item and the second data item are extracted based on an NAT profile of the NAT device.
3. The method of claim 2, further comprising: analyzing the NAT profile to determine that the first data item comprises a port number assigned by the NAT device to the first flow; further analyzing the NAT profile to determine a port range assigned to the first host device by the NAT device; and comparing, by the hardware processor, the port number and the port range to determine a match, wherein determining that the first flow is generated by the first host device is based at least on the match.
4. The method of claim 2, further comprising: analyzing the NAT profile to determine that the first data item comprises an identifier of the first flow that is embedded by the NAT device in a header field of at least one packet of the first flow; wherein extracting the first data item comprised extracting the identifier from the header field, and wherein determining that the first flow is generated by the first host device is based at least on the identifier.
5. The method of claim 4, wherein the header field comprises at least one selected from at least one of an IP option field and a Transmission Control Protocol (TCP) option field.
6. The method of claim 2, further comprising: capturing an NAT message sent from the NAT device to a pre-determined network device, wherein the pre-determined network device is separate from the hardware processor, wherein the NAT profile is embedded in the NAT message by the NAT device; and extracting, in response to capturing the NAT message, the NAT profile from the NAT message.
7. The method of claim 6, wherein the first portion of the plurality of packets is captured from a link coupling a first computer network and a second computer network, wherein the first computer network comprises the NAT device and the first host device, wherein the second computer network comprises the pre-determined network device and a third host device, wherein the first flow is exchanged between the first host device and the third host device, wherein the NAT message sent from the NAT device to the pre-determined network device is captured by the hardware processor from the link, and wherein the NAT profile is extracted by the hardware processor from the captured NAT message.
8. A system for profiling network traffic, comprising: a network address translation (NAT) device configured to translate Internet Protocol (IP) addresses and port numbers for host devices coupled to the NAT device; a first host device and a second host device coupled to the NAT device; a packet capturing device configured to collect network data; a network traffic profiling tool, the network traffic profiling tool being separate from the packet capturing device and separate from the NAT device, the network traffic profiling tool including a hardware processor; and memory comprising instructions executable by the processor of the network traffic profiling tool, wherein the instructions comprise: an acquisition module configured to: obtain a plurality of packets captured by the packet capturing device from the network traffic; and identify a first portion of the captured plurality of packets as a first flow based at least on a common IP address assigned to each packet of the first flow by the NAT device, the first flow including an NAT message sent from the NAT device to a predetermined host device coupled to the NAT device, wherein the NAT message is also captured by the packet capturing device; and a host analyzer configured to: extract a first data item from the captured NAT message, wherein the first data item is inserted into the captured NAT message by the NAT device for identifying a first host device coupled to the NAT device; and determine, based on the first data item, that the first flow is generated by the first host device.
9. The system of claim 8, the host analyzer further configured to: identify a second portion of the plurality of packets as a second flow based at least on the common IP address further assigned to each packet of the second flow by the NAT device; extract a second data item from the second flow, wherein the second data item is inserted into the second flow by the NAT device for identifying a second host device coupled to the NAT device; and determine, based on the second data item, that the second flow is generated by the second host device, wherein the first data item and the second data item are extracted based on an NAT profile of the NAT device.
10. The system of claim 9, the host analyzer further configured to: analyze the NAT profile to determine that the first data item comprises a port number assigned by the NAT device to the first flow; further analyze the NAT profile to determine a port range assigned to the first host device by the NAT device; and compare the port number and the port range to determine a match, wherein determining that the first flow is generated by the first host device is based at least on the match.
11. The system of claim 9, the host analyzer further configured to: analyze the NAT profile to determine that the first data item comprises an identifier of the first flow that is embedded by the NAT device in a header field of at least one packet of the first flow; wherein extracting the first data item comprised extracting the identifier from the header field, and wherein determining that the first flow is generated by the first host device is based at least on the identifier.
12. The system of claim 11, wherein the header field comprises at least one selected from at least one of an IP option field and a Transmission Control Protocol (TCP) option field.
13. The system of claim 9, further comprising an NAT message analyzer configured to: capture an NAT message sent from the NAT device to a pre-determined network device, wherein the pre-determined network device is separate from the hardware processor, wherein the NAT profile is embedded in the NAT message by the NAT device; and extract, in response to capturing the NAT message, the NAT profile from the NAT message.
14. The system of claim 13, wherein the first portion of the plurality of packets is captured from a link coupling a first computer network and a second computer network, wherein the first computer network comprises the NAT device and the first host device, wherein the second computer network comprises the pre-determined network device and a third host device, wherein the first flow is exchanged between the first host device and the third host device, wherein the NAT message sent from the NAT device to the pre-determined network device is captured by the hardware processor from the link, and wherein the NAT profile is extracted by the hardware processor from the captured NAT message.
15. A non-transitory computer readable medium embodying instructions for profiling network traffic, the instructions when executed by a processor comprising functionality for: capturing, from the network traffic using a packet capturing device, a plurality of packets, the packet capturing device configured to collect network data for providing to a network traffic profiling tool, the network traffic profiling tool being separate from the packet capturing device; identifying a first portion of the captured plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, the first flow including an NAT message sent from the NAT device to a predetermined host device coupled to the NAT device, wherein the NAT message is also captured by the packet capturing device; extracting, by a hardware processor included in the network traffic profiling tool separate from the NAT device, a first data item from the captured NAT message, wherein the first data item is inserted into the captured NAT message by the NAT device for identifying a first host device coupled to the NAT device; and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.
16. The non-transitory computer readable medium of claim 15, the instructions when executed by the processor further comprising functionality for: identifying a second portion of the plurality of packets as a second flow based at least on the common IP address further assigned to each packet of the second flow by the NAT device; extracting a second data item from the second flow, wherein the second data item is inserted into the second flow by the NAT device for identifying a second host device coupled to the NAT device; and determining, based on the second data item, that the second flow is generated by the second host device, wherein the first data item and the second data item are extracted based on an NAT profile of the NAT device.
17. The non-transitory computer readable medium of claim 16, the instructions when executed by a processor comprising functionality for: analyzing the NAT profile to determine that the first data item comprises a port number assigned by the NAT device to the first flow; further analyzing the NAT profile to determine a port range assigned to the first host device by the NAT device; and comparing the port number and the port range to determine a match, wherein determining that the first flow is generated by the first host device is based at least on the match.
18. The non-transitory computer readable medium of claim 16, the instructions when executed by a processor comprising functionality for: analyzing the NAT profile to determine that the first data item comprises an identifier of the first flow that is embedded by the NAT device in a header field of at least one packet of the first flow; wherein extracting the first data item comprised extracting the identifier from the header field, and wherein determining that the first flow is generated by the first host device is based at least on the identifier.
19. The non-transitory computer readable medium of claim 18, wherein the header field comprises at least one selected from at least one of an IP option field and a Transmission Control Protocol (TCP) option field.
20. The non-transitory computer readable medium of claim 16, the instructions when executed by a processor comprising functionality for: capturing an NAT message sent from the NAT device to a pre-determined network device, wherein the pre-determined network device is separate from the hardware processor, wherein the NAT profile is embedded in the NAT message by the NAT device; and extracting, in response to capturing the NAT message, the NAT profile from the captured NAT message.
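The attribution logic of claims 1 through 5 in working form, as an added example that is not part of the patent or any product implementing it: flows sharing the NAT's common public IP are grouped, then attributed to an inside host either by a host identifier the NAT embedded in a TCP option (claims 4 and 5) or by matching the translated source port against the per-host port range from the NAT profile (claim 3). The profile format, the option kind 254, the one-byte identifier encoding, and the rule that an embedded identifier takes precedence over the port range are all assumptions made for this example; the capture is constructed.

```python
from dataclasses import dataclass, field

# Constructed NAT profile (not a real vendor format): the NAT's public IP, the port
# range allotted to each host, and the TCP option kind carrying a one-byte host id.
NAT_PROFILE = {
    "public_ip": "203.0.113.5",
    "port_ranges": {"host-A": (40000, 40999), "host-B": (41000, 41999)},
    "id_option_kind": 254,                # assumed kind; not specified by the patent
    "ids": {0x0A: "host-A", 0x0B: "host-B"},
}

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_options: dict = field(default_factory=dict)  # option kind -> raw value bytes

def group_flows(packets, profile):
    """Claim 1: keep packets bearing the NAT's common public IP, grouped by 4-tuple."""
    flows = {}
    for p in packets:
        if p.src_ip == profile["public_ip"]:
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            flows.setdefault(key, []).append(p)
    return flows

def attribute_flow(key, pkts, profile):
    """Claims 3-5: embedded identifier if any packet carries one, else port-range match."""
    kind = profile["id_option_kind"]
    for p in pkts:
        if kind in p.tcp_options:
            return profile["ids"].get(p.tcp_options[kind][0])
    port = key[1]
    for host, (lo, hi) in profile["port_ranges"].items():
        if lo <= port <= hi:
            return host
    return None  # not attributable: the profile is stale or incomplete for this flow

def profile_traffic(packets, profile):
    """Map each NAT-translated flow to the host that generated it (None if unknown)."""
    flows = group_flows(packets, profile)
    return {k: attribute_flow(k, v, profile) for k, v in flows.items()}

# Constructed capture: three NAT-translated flows and one packet not from the NAT.
SAMPLE = [
    Packet("203.0.113.5", 40123, "198.51.100.7", 443),
    Packet("203.0.113.5", 40500, "198.51.100.9", 80, {254: b"\x0b"}),  # id beats port
    Packet("203.0.113.5", 50000, "198.51.100.9", 80),                   # no range matches
    Packet("192.0.2.1", 1234, "198.51.100.7", 443),
]
```

The second sample flow sits in host-A's port range but carries host-B's identifier, which is exactly the case where a profiling tool relying on port ranges alone would misattribute traffic.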
March 19, 2019